Report Ups Fears of Cardiac Device Hacking

But investment firm's profit motive muddies the water

(Reuters) -- The stock of pacemaker manufacturer St. Jude Medical fell sharply on Thursday after short-selling firm Muddy Waters said it had placed a bet that the shares would fall, claiming its implanted heart devices were vulnerable to cyber attacks.

St. Jude, which agreed in April to sell itself for $25 billion to Abbott Laboratories, said the allegations were false. St. Jude shares closed down 4.96%, the biggest 1-day fall in 7 months and at a 7.4% discount to Abbott's takeover offer.

Muddy Waters head Carson Block said the firm's position was motivated by research from a cyber security firm, MedSec Holdings, which has a financial arrangement with Muddy Waters. MedSec asserted that St. Jude's heart devices were vulnerable to cyber attack and were a risk to patients.

A MedSec report warned of two primary hacks on St. Jude pacemakers and defibrillators: One that could cause implanted devices to pace at potentially dangerous rates and one that drains their batteries.

MedSec approached Muddy Waters about 3 months ago and the two struck a deal under which Block agreed to hire MedSec as a consultant, pay it a licensing fee for research and a percentage of any profits from the investment, Block told Reuters.

Reuters was not able to confirm the allegations by Block and MedSec, a firm founded 18 months ago focusing on cyber vulnerabilities in the healthcare industry. The allegations were detailed in a report published on the Muddy Waters website.

The Department of Homeland Security and the Food and Drug Administration, which work together to investigate and remediate life-threatening cyber vulnerabilities in medical equipment, declined comment on St. Jude.

Josh Corman, co-founder of I am the Cavalry, a group that has worked to establish standard procedures for privately disclosing vulnerabilities to manufacturers, said he was surprised St. Jude had been singled out. He said he was aware of other nonpublic research showing other device makers have cyber vulnerabilities.

"They may have a basis for singling out this one company, but it feels arbitrary and capricious. It doesn't ring true," said Corman.

Unprecedented Approach

Cyber security experts said that it was unprecedented for a cyber security researcher to go public with research about cyber bugs as part of a short-selling strategy.

Researchers typically disclose bugs by approaching affected firms, working through intermediaries who communicate on their behalf, or presenting them at peer-reviewed cyber conferences.

MedSec Chief Executive Justine Bone told Reuters that her firm decided to not adhere to those practices.

"We have expenses we incur. This is a business relationship," she told Reuters. "But our goal here is to bring this to the attention of the public."

MedSec's report said "low-level" hackers could exploit security vulnerabilities in devices that St. Jude uses to enable doctors to remotely access data on their patients' implanted pacemakers and defibrillators, which use electricity to stabilize.

St. Jude Chief Technology Officer Philip Ebeling said there were several layers of security in place for its devices.

"We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin@home and on all our devices," Ebeling said in a statement.

Block also said he has taken a "long" position in Abbott, a bet that its stock will rise. A representative for Abbott had no comment.

Abbott dropped 0.76% to close around a 1-month low of $42.84. At that price, Abbott's takeover offer for St. Jude was valued at $84.06 a share.

Were St. Jude's fortunes to deteriorate significantly, Abbott could seek to cite a material-adverse-effect clause built into most acquisition contracts to back out of its merger agreement. Abbott would not be required to pay a termination fee.

In practice, such moves are rare, because the legal threshold is high for showing an adverse impact on business.

Abbott is already seeking to pull out of one deal this year. The company offered Alere up to $50 million to terminate its $5.8 billion acquisition after the medical testing device maker was hit by accounting issues. Alere, however, has so far resisted efforts by Abbott to end that deal.

Block, who announced his firm's position on Twitter, told Reuters that his firm felt that MedSec was correct to single out St. Jude because "none of their competitors are anywhere close to this bad." He said that one of his firm's researchers had replicated some of MedSec's findings.

Researchers tested second-hand Merlin@home devices obtained on eBay, among the hundreds of thousands that are in use, the report said. It said St. Jude pushed out a software update to some Merlin@home devices but that it "represented a very slight change in security."
